Snort mailing list archives
Re: Snort 2.9.0.1 Now Available
From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 08 Nov 2010 16:57:18 +0000
On 11/8/2010 4:45 PM, L0rd Ch0de1m0rt wrote:
> Hello. I am still experiencing HTTP stream reassembly issues when trying to match across multiple fragmented packets with Snort 2.9.0.1. Specifically, this happens on an HTTP POST where the headers are in a different packet than the POST data. Consider the following rule, which you can use along with scapy to reproduce if you want:
>
> alert tcp any any -> $HOME_NET $HTTP_PORTS (msg:"Incoming German POST to Batman"; flow:established,to_server; content:"POST"; http_method; uricontent:"/batcave/"; uricontent:"unicorns4sourcefire"; content:"|0d 0a|Accept-Language: de"; nocase; http_header; content:!"|0d 0a 0d 0a|not4batman=true&"; content:!"\; batsecret=sesstoken4robin"; http_cookie; classtype:trojan-activity; sid:8008135; rev:17;)
>
> It alerts (b/c all the URI and HTTP header stuffs match in the initial packet) but it shouldn't alert b/c the HTTP POST data starts with 'not4batman=true&' (but the POST data is in a later packet than the one containing the headers). Anyone else still having issues or have done more in-depth testing with 2.9.0.1 and the HTTP pre-processor?
>
> -L0rd C.
It was reported a while back by myself directly to SourceFire in late August. I provided some PCAPs a few times and I am pretty sure they are aware of the issue and are working to resolve it. They have fixed tons of other stuff that really helps everyone out and I'm sure a fix for this will surface into the publicly released source eventually.

It appears that the buffers created by the http_inspect preprocessor only work at frame level instead of at the stream level. I finally put up a blog post about it in late September here: http://trojanedbinaries.com/blog/?p=217

This is especially bad if you are using rules to block access to certain domain names in the http_header buffer when the http_uri is very long and the client is using MSIE, as that puts the Host header entry at the bottom of the http_header. Requests like this are very likely to exceed the standard size MTU and get split across multiple frames. There should be some chatter on the Snort lists from myself and some of the dev/support guys recently as well.

-- Eoin
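Added example, not from either poster: a small Python model of the failure mode the thread describes. It approximates the rule above as plain content checks (it is not Snort's matching engine, and the HTTP request bytes are constructed for illustration), then evaluates the rule once per TCP segment (frame level) and once over the reassembled stream, so the false positive on a split POST can be seen directly.

```python
# Constructed HTTP POST matching the rule's URI and header conditions.
# Content-Length is 16, the length of each sample body below.
HEADERS = (
    b"POST /batcave/?unicorns4sourcefire HTTP/1.1\r\n"
    b"Host: batcave.example\r\n"
    b"Accept-Language: de\r\n"
    b"Content-Length: 16\r\n"
    b"\r\n"
)
BENIGN_BODY = b"not4batman=true&"   # body the rule's negated content excludes
SUSPECT_BODY = b"batsignal=on&a=1"  # body that should still alert


def rule_matches(buf: bytes) -> bool:
    """Approximation of the thread's rule against one inspected buffer.
    Every positive content must be present, every negated content absent."""
    for needle in (b"POST", b"/batcave/", b"unicorns4sourcefire"):
        if needle not in buf:
            return False
    # 'nocase' applies only to the Accept-Language content match.
    if b"\r\naccept-language: de" not in buf.lower():
        return False
    # content:!"|0d 0a 0d 0a|not4batman=true&"
    if b"\r\n\r\nnot4batman=true&" in buf:
        return False
    # content:!"\; batsecret=sesstoken4robin"; http_cookie;
    if b"; batsecret=sesstoken4robin" in buf:
        return False
    return True


def frame_level_alert(segments: list[bytes]) -> bool:
    """Inspect each segment payload by itself, as the thread reports
    http_inspect's buffers effectively did: any segment can alert."""
    return any(rule_matches(seg) for seg in segments)


def stream_level_alert(segments: list[bytes]) -> bool:
    """Inspect the reassembled stream, which is what the rule intends."""
    return rule_matches(b"".join(segments))


SPLIT_BENIGN = [HEADERS, BENIGN_BODY]     # headers and body in separate segments
SINGLE_BENIGN = [HEADERS + BENIGN_BODY]   # whole request in one segment
SPLIT_SUSPECT = [HEADERS, SUSPECT_BODY]

if __name__ == "__main__":
    print("split benign, frame level:", frame_level_alert(SPLIT_BENIGN))    # True (false positive)
    print("split benign, stream level:", stream_level_alert(SPLIT_BENIGN))  # False
    print("single benign, frame level:", frame_level_alert(SINGLE_BENIGN))  # False
    print("split suspect, stream level:", stream_level_alert(SPLIT_SUSPECT))  # True
```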